Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)
RFC 9200
Document | Type | RFC - Proposed Standard (August 2022) | |
---|---|---|---|
Authors | Ludwig Seitz , Göran Selander , Erik Wahlstroem , Samuel Erdtman , Hannes Tschofenig | ||
Last updated | 2022-08-31 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
IESG | Responsible AD | Benjamin Kaduk | |
Send notices to | (None) |
RFC 9200
quot;, a value that the temperature sensor identifies itself with. The AS evaluates the request and authorizes the client to access the resource. B: The AS responds with a 2.05 (Content) response containing the Access Information, including the access token. The PoP access token contains the public key of the client, and the Access Information contains the public key of the RS. For communication security, this example uses DTLS RawPublicKey between the client and the RS. The issued token will have a short validity time, i.e., exp close to iat, in order to mitigate attacks using stolen client credentials. The token includes claims, such as scope, with the authorized access that an owner of the temperature device can enjoy. In this example, the scope claim issued by the AS informs the RS that the owner of the token that can prove the possession of a key is authorized to make a GET request against the /temperature resource and a POST request on the /firmware resource. Note that the syntax and semantics of the scope claim are application specific. Note: In this example, it is assumed that the client knows what resource it wants to access and is therefore able to request specific audience and scope claims for the access token. Authorization Client Server | | |<=======>| DTLS Connection Establishment | | and mutual authentication | | A: +-------->| Header: POST (Code=0.02) | POST | Uri-Path:"token" | | Content-Format: application/ace+cbor | | Payload: <Request-Payload> | | B: |<--------+ Header: 2.05 Content | 2.05 | Content-Format: application/ace+cbor | | Payload: <Response-Payload> | | Figure 11: Token Request and Response Using Client Credentials The information contained in the Request-Payload and the Response- Payload is shown in Figure 12. Note that the parameter rs_cnf from [RFC9201] is used to inform the client about the resource server's public key. Request-Payload : { / audience / 5 : "tempSensorInLivingRoom", / client_id / 24 : "myclient", / req_cnf / 4 : { / COSE_Key / 1 : { / kid / 2 : b64'1Bg8vub9tLe1gHMzV76e', / kty / 1 : 2 / EC2 /, / crv / -1 : 1 / P-256 /, / x / -2 : b64'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU', / y / -3 : b64'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0' } } } Response-Payload : { / access_token / 1 : b64'0INDoQEKoQVNKkXfb7xaWqMT'/ .../, / rs_cnf / 41 : { / COSE_Key / 1 : { / kid / 2 : b64'c29tZSBwdWJsaWMga2V5IGlk', / kty / 1 : 2 / EC2 /, / crv / -1 : 1 / P-256 /, / x / -2 : b64'MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4', / y / -3 : b64'4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM' } } } Figure 12: Request and Response Payload Details The content of the access token is shown in Figure 13. { / aud / 3 : "tempSensorInLivingRoom", / iat / 6 : 1563451500, / exp / 4 : 1563453000, / scope / 9 : "temperature_g firmware_p", / cnf / 8 : { / COSE_Key / 1 : { / kid / 2 : b64'1Bg8vub9tLe1gHMzV76e', / kty / 1 : 2 / EC2 /, / crv / -1 : 1 / P-256 /, / x / -2 : b64'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU', / y / -3 : b64'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0' } } } Figure 13: Access Token Including Public Key of the Client Messages C and F are shown in Figures 14 and 15. C: The client then sends the PoP access token to the authz-info endpoint at the RS. This is a plain CoAP POST request, i.e., no transport or application-layer security is used between the client and RS since the token is integrity protected between the AS and RS. The RS verifies that the PoP access token was created by a known and trusted AS, which it applies to this RS, and that it is valid. The RS caches the security context together with authorization information about this client contained in the PoP access token. Resource Client Server | | C: +-------->| Header: POST (Code=0.02) | POST | Uri-Path:"authz-info" | | Payload: 0INDoQEKoQVN ... | | |<--------+ Header: 2.04 Changed | 2.04 | | | Figure 14: Access Token Provisioning to the RS The client and the RS runs the DTLS handshake using the raw public keys established in steps B and C. The client sends a CoAP GET request to /temperature on the RS over DTLS. The RS verifies that the request is authorized based on previously established security context. F: The RS responds over the same DTLS channel with a CoAP 2.05 Content response containing a resource representation as payload. Resource Client Server | | |<=======>| DTLS Connection Establishment | | using Raw Public Keys | | +-------->| Header: GET (Code=0.01) | GET | Uri-Path: "temperature" | | | | | | F: |<--------+ Header: 2.05 Content | 2.05 | Payload: <sensor value> | | Figure 15: Resource Request and Response Protected by DTLS F.2. Introspection Aided Token Validation In this deployment scenario, it is assumed that a client is not able to access the AS at the time of the access request, whereas the RS is assumed to be connected to the back-end infrastructure. Thus, the RS can make use of token introspection. This access procedure involves steps (A)-(F) of Figure 1 but assumes steps (A) and (B) have been carried out during a phase when the client had connectivity to the AS. Since the client is assumed to be offline, at least for a certain period of time, a preprovisioned access token has to be long lived. Since the client is constrained, the token will not be self-contained (i.e., not a CWT) but instead just a reference. The resource server uses its connectivity to learn about the claims associated to the access token by using introspection, which is shown in the example below. In the example, interactions between an offline client (key fob), an RS (online lock), and an AS is shown. It is assumed that there is a provisioning step where the client has access to the AS. This corresponds to message exchanges A and B, which are shown in Figure 16. Authorization consent from the resource owner can be preconfigured, but it can also be provided via an interactive flow with the resource owner. An example of this for the key fob case could be that the resource owner has a connected car and buys a generic key to use with the car. To authorize the key fob, the owner connects it to a computer that then provides the UI for the device. After that, OAuth 2.0 implicit flow can be used to authorize the key for the car at the car manufacturer's AS. Note: In this example, the client does not know the exact door it will be used to access since the token request is not sent at the time of access. So the scope and audience parameters are set quite wide to start with, while tailored values narrowing down the claims to the specific RS being accessed can be provided to that RS during an introspection step. A: The client sends a CoAP POST request to the token endpoint at the AS. The request contains the audience parameter set to "PACS1337" (Physical Access System (PACS)), a value that identifies the physical access control system to which the individual doors are connected. The AS generates an access token as an opaque string, which it can match to the specific client and the targeted audience. It furthermore generates a symmetric proof-of-possession key. The communication security and authentication between the client and AS is assumed to have been provided at the transport layer (e.g., via DTLS) using a pre- shared security context (pre-shared key (PSK), RPK, or certificate). B: The AS responds with a CoAP 2.05 Content response, containing as payload the Access Information, including the access token and the symmetric proof-of-possession key. Communication security between the C and RS will be DTLS and PreSharedKey. The PoP key is used as the PreSharedKey. Note: In this example, we are using a symmetric key for a multi-RS audience, which is not recommended normally (see Section 6.9). However, in this case, the risk is deemed to be acceptable, since all the doors are part of the same physical access control system; therefore, the risk of a malicious RS impersonating the client towards another RS is low. Authorization Client Server | | |<=======>| DTLS Connection Establishment | | and mutual authentication | | A: +-------->| Header: POST (Code=0.02) | POST | Uri-Path:"token" | | Content-Format: application/ace+cbor | | Payload: <Request-Payload> | | B: |<--------+ Header: 2.05 Content | | Content-Format: application/ace+cbor | 2.05 | Payload: <Response-Payload> | | Figure 16: Token Request and Response Using Client Credentials The information contained in the Request-Payload and the Response- Payload is shown in Figure 17. Request-Payload: { / client_id / 24 : "keyfob", / audience / 5 : "PACS1337" } Response-Payload: { / access_token / 1 : b64'VGVzdCB0b2tlbg', / cnf / 8 : { / COSE_Key / 1 : { / kid / 2 : b64'c29tZSBwdWJsaWMga2V5IGlk', / kty / 1 : 4 / Symmetric /, / k / -1 : b64'ZoRSOrFzN_FzUA5XKMYoVHyzff5oRJxl-IXRtztJ6uE' } } } Figure 17: Request and Response Payload for the C Offline In this case, the access token is just an opaque byte string referencing the authorization information at the AS. C: Next, the client POSTs the access token to the authz-info endpoint in the RS. This is a plain CoAP request, i.e., no DTLS between the client and RS. Since the token is an opaque string, the RS cannot verify it on its own, and thus defers to respond to the client with a status code until after step E. D: The RS sends the token to the introspection endpoint on the AS using a CoAP POST request. In this example, the RS and AS are assumed to have performed mutual authentication using a pre- shared security context (PSK, RPK, or certificate) with the RS acting as the DTLS client. E: The AS provides the introspection response (2.05 Content) containing parameters about the token. This includes the confirmation key (cnf) parameter that allows the RS to verify the client's proof of possession in step F. Note that our example in Figure 19 assumes a preestablished key (e.g., one used by the client and the RS for a previous token) that is now only referenced by its key identifier kid. After receiving message E, the RS responds to the client's POST in step C with the CoAP response code 2.01 (Created). Resource Client Server | | C: +-------->| Header: POST (T=CON, Code=0.02) | POST | Uri-Path:"authz-info" | | Payload: b64'VGVzdCB0b2tlbg' | | | | Authorization | | Server | | | | D: +--------->| Header: POST (Code=0.02) | | POST | Uri-Path: "introspect" | | | Content-Format: application/ace+cbor | | | Payload: <Request-Payload> | | | | E: |<---------+ Header: 2.05 Content | | 2.05 | Content-Format: application/ace+cbor | | | Payload: <Response-Payload> | | | | | |<--------+ Header: 2.01 Created | 2.01 | | | Figure 18: Token Introspection for the C Offline The information contained in the Request-Payload and the Response- Payload is shown in Figure 19. Request-Payload: { / token / 11 : b64'VGVzdCB0b2tlbg', / client_id / 24 : "FrontDoor" } Response-Payload: { / active / 10 : true, / aud / 3 : "lockOfDoor4711", / scope / 9 : "open close", / iat / 6 : 1563454000, / cnf / 8 : { / kid / 3 : b64'c29tZSBwdWJsaWMga2V5IGlk' } } Figure 19: Request and Response Payload for Introspection The client uses the symmetric PoP key to establish a DTLS PreSharedKey secure connection to the RS. The CoAP request PUT is sent to the uri-path /state on the RS, changing the state of the door to locked. F: The RS responds with an appropriate response over the secure DTLS channel. Resource Client Server | | |<=======>| DTLS Connection Establishment | | using Pre Shared Key | | +-------->| Header: PUT (Code=0.03) | PUT | Uri-Path: "state" | | Payload: <new state for the lock> | | F: |<--------+ Header: 2.04 Changed | 2.04 | Payload: <new state for the lock> | | Figure 20: Resource Request and Response Protected by OSCORE Acknowledgments This document is a product of the ACE Working Group of the IETF. Thanks to Eve Maler for her contributions to the use of OAuth 2.0 and Unlicensed Mobile Access (UMA) in IoT scenarios, Robert Taylor for his discussion input, and Mališa Vučinić for his input on the predecessors of this proposal. Thanks to the authors of "[POP-KEY-DIST]OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution" [POP-KEY-DIST], from where parts of the security considerations where copied. Thanks to Stefanie Gerdes, Olaf Bergmann, and Carsten Bormann for contributing their work on AS discovery from "Delegated CoAP Authentication and Authorization Framework (DCAF)" [DCAF] (see Section 5.1) and the considerations on multiple access tokens. Thanks to Jim Schaad and Mike Jones for their comprehensive reviews. Thanks to Benjamin Kaduk for his input on various questions related to this work. Thanks to Cigdem Sengul for some very useful review comments. Thanks to Carsten Bormann for contributing the text for the CoRE Resource Type registry. Thanks to Roman Danyliw for suggesting Appendix E (including its contents). Ludwig Seitz and Göran Selander worked on this document as part of the CelticPlus project CyberWI, with funding from Vinnova. Ludwig Seitz has also received further funding for this work by Vinnova in the context of the CelticNext project CRITISEC. Authors' Addresses Ludwig Seitz Combitech Djäknegatan 31 SE-211 35 Malmö Sweden Email: ludwig.seitz@combitech.com Göran Selander Ericsson SE-164 80 Kista Sweden Email: goran.selander@ericsson.com Erik Wahlstroem Sweden Email: erik@wahlstromstekniska.se Samuel Erdtman Spotify AB Birger Jarlsgatan 61, 4tr SE-113 56 Stockholm Sweden Email: erdtman@spotify.com Hannes Tschofenig Arm Ltd. 6067 Absam Austria Email: Hannes.Tschofenig@arm.com